Automotive Cybersecurity

Empowering Tomorrow’s Cybersecurity with Today’s Expertise

Today’s vehicles are becoming more connected, autonomous, shared, and electrified (CASE). They are no longer “just” motor cars, but rather software-defined vehicles and data-sharing powerhouses. Connectivity features are constantly increasing potential attack surfaces, and hackers are eager to exploit any vulnerability to perform attacks, preferably remotely.
Furthermore, upcoming and updated regulations and standards like the ISO/SAE 8477 or the Cyber Resilience Act (CRA) will also force the automotive industry to intensify their efforts to mature their cybersecurity practices in product development.
The technical environment undergoes continuous evolution, posing increased risks not only to individual vehicles but also on a larger scale, via backend servers, charging infrastructure, and application interfaces. Both Applied AI and Generative AI significantly affect the threat level and also contribute to enhancing cybersecurity solutions for in-vehicle systems, network communication monitoring, over-the-air software updates and charging infrastructure.
Hence, effective cybersecurity solutions are essential for the holistic protection of connected vehicles, their passengers and manufacturers. AVL is a certified partner under ISO/SAE 21434 and ENX VCS, with expertise in automotive cybersecurity since 2016. In recent years we have dedicated over 400 person-months to cybersecurity projects, with a strong emphasis on research and development. Additionally, AVL offers tailored solutions with exceptional flexibility to meet diverse customer needs. Our team comprises about 40 cybersecurity specialists who possess comprehensive expertise across the entire product life cycle. Our holistic approach positions AVL as a premier automotive cybersecurity partner, and we support OEMs and suppliers with cybersecurity services that cover the entire product life cycle.

Get in touch with us by sending an email to cybersecurity@avl.com.

Risk Analysis and Concept

Do you want to successfully apply the Security-by-Design principle?
With our experience, based on conducting hundreds of Threat Analysis and Risk Assessments (TARAs) and developing Cybersecurity Concepts over different vehicle functions, AVL’s TARA Service offers a comprehensive risk assessment by providing in-depth analysis of potential threats specific to your system like .
We leverage advanced techniques and industry-leading expertise (more than 30k hours) to identify, assess, and prioritize risks, enabling you to make informed decisions and take proactive measures to protect your assets. This is supported by a Concept with a set of minimum cybersecurity requirements your system must comply with. Our expertise includes excellent management of an ISO/SAE 21434-based methodology for TARA, as well as the capacity to adapt to newly proposed methodologies and successfully evaluate the risks.
We ensure that potential cybersecurity issues are found and mitigated from the earliest stage in the product lifecycle, thereby satisfying the Security-by-Design principle.

Architecture Development

AVL offers comprehensive cybersecurity integration, deploying robust mechanisms across multiple ECUs (i.e. Classic or Adaptive AUTOSAR based) while ensuring SOP maturity at every stage.
Our experience includes defining cybersecurity specifications for complex systems based on mitigations proposed by previous risk analysis and concepts.
At the same time, we ensure that cybersecurity requirements are successfully implemented and that the actual system functionality is not compromised by tight restrictions.
With the cybersecurity architecture, we ensure that the different stakeholders involved in the process can include the necessary cybersecurity requirements. We look ahead, so that specifications are defined for development and adapted for testing. Our objective is that the system continues to comply with the Security-by-Design principle.
Complementary to the requirements, we can also support the definition of technical concepts as the needs of the project require. A range of concepts and specifications we have worked on is outlined below.

Concept Development

  • Secure On-board Communication
  • Secure Diagnosis Interface
  • Secure Boot
  • Secure Logging
  • Secure Flashing
  • Secure Debugging

Architecture & Technical Specifications

  • Secure Network Communication Protocols
  • Network Security
  • Key Management
  • Secure File Transfer
  • POSIX Operating System Security
  • Security material management (credentials and relevant cryptographic material)
  • Vulnerability Management Process (support on the definition of)

Implementation

At AVL, we are committed to protecting your digital assets with cutting-edge cybersecurity software tailored to your needs. We collaborate closely with your team to deploy robust and tailored cybersecurity solutions across various applications with established production readiness.
Our cybersecurity software development process is characterized by meticulous attention to cybersecurity requirement compliance and a commitment to delivering solutions that meet the unique needs of your organization. Leveraging state-of-the-art tooling and industry best practices, our team of experts will work together with you to ensure comprehensive security coverage, also using hardware-specific security features such as an on-chip HSM.
A broad range of security features tailored to customers’ and OEMs’ needs is offered and outlined below.

Security Features

  • Debug protection – Deactivation and reactivation of hardware debug interfaces, secured by cryptographic mechanisms
  • Certificate verification and management incl. PKI (public key infrastructure)
  • Secure Flashing
  • Secure Authentication
  • Secure On-board Communication
  • Secure Logging
  • Secure Life-cycle Management
  • Secure Activation and Deactivation of Functionalities
  • Secure & Authentic Boot
  • Secure Variant Coding
  • Validation of Data Integrity

Verification & Validation Activities

“How to ensure your product is secure?” Verification and Validation is key!

Following established processes, using qualified tools and employing skilled engineers helps in designing for security, but even in the best environments, mistakes will happen!
At AVL, we back up our internal developments as well as individual customers with various security-focused verification and validation activities to identify procedural, conceptual and implementation flaws as soon as possible in the development process and especially before they can be exploited in the wild.

  • Following the shift-left approach, our testers get involved in concept and development activities as reviewers or consultants to bring in the tester’s perspective early and add value right away.
  • We team up with our general testing colleagues to complement their formal verification methods with a security mindset and security tooling, increasing test completeness and confidence in the results in functional security testing.
  • In our supreme discipline Penetration Testing, we take on the attacker’s role ourselves and validate the final product against the overall security objectives assigned to it by applying methods and techniques from the dark side, of course in an ethical way.

For this skill- and knowledge-driven domain, we can capitalize on a rich pool of resources.

  • Our team consists of qualified and certified specialists (e.g. ISTQB, OSCP, etc.) with a deep understanding of technologies, the mindset and curiosity to dive deeper into the bits and bytes and electrons, the endurance to pursue a goal and the professionalism to act responsibly with their skills and knowledge.
  • The toolbox at hand is crafted from established industry standards, complemented with open-source tools and self-developed tailored test suites in close collaboration with our partners specialized in tool development.
  • TISAX qualified facilities (dedicated security laboratory and a garage) allow hands-on work on all scales of Systems under Test, from single ECUs up to complete prototype and series vehicles, whilst the information security requirements of our customers are ensured to be met at all times.

At the end, we increase the confidence that the intended level of security was reached by the product before it hits the road. This is how we ensure that your product is secure!

Continuous System Care

By providing the Continuous System Care service, AVL ensures comprehensive protection through thorough monitoring of vulnerabilities and threats during both development and post-development stages.
Shifting to the left. Security activities start from the very beginning of the project. As a result, the Software Bill of Materials (SBoM) covers the entire software inventory of the project, rendering it vulnerability-free upon completion.
Multiple intelligence sources, public and private vulnerability databases, information on real-world threats – extensive coverage of the relevant information provides a comprehensive overview of the threat landscape. It’s not merely about security awareness, but confidence that every aspect of your product security is considered.
Security analysts, penetration testing experts, software development team. Professionals from all fields of automotive development will take care of analysis, verification, and possible mitigation of the findings. It does not matter whether it is a public vulnerability with detailed technical information or threat intelligence offering only basic details, we will thoroughly investigate it for you. As a product transitions into the post-development phase, it becomes accessible to customers and other stakeholders. That is why maintaining a product’s security goes beyond routine vulnerability monitoring, and this is where Open-Source Intelligence (OSINT) steps in as a critical component in threat identification. Our meticulous approach to finding information across the surface, deep, and dark web, including specialized blogs, forums and communities, provides substantial help for you in addressing potential vulnerabilities and emerging threats.

Consulting and Training

Embark on a journey towards UNECE R155 compliance with AVL, your trusted partner in automotive safety and security. As an ISO/SAE 21434 and TISAX VCS ENX certified partner, we have demonstrated excellence through countless customer assessments and audits, paving the way for clients to obtain essential certifications with confidence. Our comprehensive consulting and training services cover a spectrum of tasks, ensuring that your organization is equipped with the knowledge and expertise needed to meet regulatory requirements effectively. From tailored guidance to hands-on training, AVL is committed to empowering your team and safeguarding your automotive endeavours.
Our consulting and training service encompasses the following tasks:

  • GAP Analysis
  • Process Set-up
  • Conducting Assessment / Audit
  • Certification Support
  • Technical Consulting
  • Project Security Management as Service
  • Coaching of Chief Product Security Officers (CPSO)
  • Customized trainings such as: Cybersecurity Standards in Automotive (UNECE R155, ISO/SAE 21434, ISO 8477), Ethical Hacking Automotive Systems, Cybersecurity Management in Software Development Projects, Threat Analysis and Risk Assessment (TARA)

If you want to get further information about Cybersecurity at AVL, send an email to cybersecurity@avl.com.
